Imagine example.com, which is accessible via HTTP and HTTPS. Most of the content on the site isn't secure, and it wouldn't be bad if it were read by an attacker. One of the paths, example.com/secure_zone, is accessible only via HTTPS and contains information that shouldn't be accessed by an attacker. example.com/secure_zone has its own cookie, with the path set to /secure_zone and with the httponly and secure attributes.

Are there any security issues here? Is there a difference if the cookie doesn't have the httponly attribute?

1 Answer
1

Theoretically, the Same Origin Policy, and the HttpOnly and Secure attributes, induce the same general model, which is that your HTTP site and your HTTPS site will be seen by the browser as two distinct animals, thus cleanly separated. In practice, this is not entirely true; for instance, while the cookies from the HTTPS site will have the "secure" flag and will not be sent to the HTTP site, the converse is not true. An active attacker, by manipulating data as it flows between the client and the HTTP site, could inject a cookie which will be sent to the HTTPS site.

Usually, it is safer and simpler to go full-HTTPS. It is safer mostly in the following sense: it allows you to educate your users into expecting an end-to-end HTTPS site, with the padlock icon. This makes the users less vulnerable. But these users also connect to your site and use its features, so a vulnerable user is also a problem for you.
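The asymmetry the answer describes can be seen with a small model of a browser cookie store. The following is an added example, not code from the question, the answer or any browser: it implements the RFC 6265 path-matching and Secure/HttpOnly rules for a single host, then replays the scenario (a Secure, HttpOnly cookie set over HTTPS for /secure_zone, followed by a cookie injected through the plain-HTTP side). It also goes one step beyond the page by modelling the `__Secure-` and `__Host-` cookie-name prefixes, which browsers use to refuse such cookies from a non-HTTPS origin; the class and function names, and the cookie values, are constructed for this example. The Domain attribute is not modelled.

```python
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Cookie:
    """A stored cookie (toy model; Domain attribute not modelled)."""
    name: str
    value: str
    path: str = "/"
    secure: bool = False
    httponly: bool = False


def _path_matches(cookie_path, request_path):
    """RFC 6265 section 5.1.4 path-match algorithm."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/"):
            return True
        return request_path[len(cookie_path)] == "/"
    return False


class CookieJar:
    """Toy cookie store for one host, keyed by (name, path) as RFC 6265 does."""

    def __init__(self):
        self._cookies = {}

    def set_from_response(self, response_url, cookie):
        """Apply a Set-Cookie from a response. Returns True if the cookie is stored.

        Plain RFC 6265 accepts any Path, so an HTTP response can scope a cookie to
        /secure_zone. The __Secure-/__Host- prefix rules (RFC 6265bis) are the
        mitigation: such names are only accepted with Secure over an https origin
        (and, for __Host-, with Path=/).
        """
        scheme = urlparse(response_url).scheme
        from_https = scheme == "https"
        if cookie.name.startswith("__Secure-") and not (cookie.secure and from_https):
            return False
        if cookie.name.startswith("__Host-") and not (
            cookie.secure and from_https and cookie.path == "/"
        ):
            return False
        self._cookies[(cookie.name, cookie.path)] = cookie
        return True

    def cookies_for_request(self, url):
        """Names of cookies the browser would attach to a request for url."""
        parsed = urlparse(url)
        sent = []
        for c in self._cookies.values():
            if c.secure and parsed.scheme != "https":
                continue  # Secure cookies never travel over plain HTTP
            if not _path_matches(c.path, parsed.path):
                continue
            sent.append(c.name)
        return sorted(sent)

    def accessible_to_script(self):
        """Names readable via document.cookie (HttpOnly cookies are hidden)."""
        return sorted(c.name for c in self._cookies.values() if not c.httponly)


def demo():
    """Replay the question's setup and the answer's injection scenario."""
    jar = CookieJar()
    # Legitimate cookie, set by the HTTPS-only zone (values are constructed).
    jar.set_from_response(
        "https://example.com/secure_zone/login",
        Cookie("session", "legit", path="/secure_zone", secure=True, httponly=True),
    )
    sent_over_http = jar.cookies_for_request("http://example.com/secure_zone/")
    # An attacker controlling the HTTP side sets a non-Secure cookie scoped to
    # /secure_zone; nothing in RFC 6265 stops the browser from storing it.
    injected_accepted = jar.set_from_response(
        "http://example.com/index.html",
        Cookie("injected", "attacker", path="/secure_zone"),
    )
    sent_over_https = jar.cookies_for_request("https://example.com/secure_zone/data")
    # Mitigation: a __Secure- prefixed name is refused from the HTTP origin.
    prefixed_rejected = not jar.set_from_response(
        "http://example.com/index.html",
        Cookie("__Secure-session", "attacker", path="/secure_zone"),
    )
    return {
        "sent_over_http": sent_over_http,
        "injected_accepted": injected_accepted,
        "sent_over_https": sent_over_https,
        "prefixed_rejected": prefixed_rejected,
        "script_visible": jar.accessible_to_script(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the Secure cookie is withheld from the HTTP request, while the cookie injected over HTTP is stored and attached to the HTTPS request for /secure_zone; only the non-HttpOnly cookie is visible to script, which is the difference the question asks about. On the server side, the `__Secure-` or `__Host-` prefix is the cheap defence against this kind of injection, as is going full-HTTPS as the answer recommends.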